On March 1, 2017, New York’s Cybersecurity Regulation (23 NYCRR Part 500)[1] became effective.  The regulation is the first of its kind in the nation and requires certain companies, including banks, insurance companies and other financial services institutions regulated by the Department of Financial Services (“Covered Entities”), to have:

• a cybersecurity program designed to protect consumers’ private data;
• a written policy or policies that are approved by the Board of Directors or a senior officer;
• a Chief Information Security Officer to help protect data and systems; and
• in place controls and plans to help ensure the safety and soundness of New York’s financial services industry.[2]

In addition, pursuant to the regulation, Covered Entities must report a cybersecurity event if (a) the event impacts the Covered Entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body; or (b) the event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.  Details regarding what makes up such an event are detailed on the New York Department of Financial Services website.[3]

Covered Entities were required to be in compliance by August 28, 2017, unless otherwise specified. By February 15, 2018, Covered Entities are required to submit an annual certification attesting that they have complied with the regulation.[4]

While the regulation does not specify who must sign the annual certification, the form appended to the regulation requires either the “Board of Directors” (rather than merely one Director) or “Senior Officer(s)” to sign. The signer must have reviewed documents, reports, certifications and opinions of officers, representatives, outside vendors and other individuals as necessary.  Problematically, if the Covered Entity elects that the Board of Directors sign the annual certification, the certification process would likely become very time-consuming for the Board.[5]  On the other hand, the regulation’s definition of “Senior Officer” states that the individual(s) must be “responsible for management, operations, security information, systems, compliance and/or risk of the company,” indicating that, particularly in larger institutions, numerous Senior Officers may be required to sign.[6]

Pursuant to the regulation, insurance companies, agencies, brokerages and producers doing business in New York – even those who qualify for a limited exemption – are required to create and maintain cybersecurity programs to protect the confidentiality and integrity of their information systems.

Insurers are likely to face several issues. First, compliance with the regulation will require resources “that may need to be diverted from core business activities, plus expertise that not all organization possess.”[7]  Due to a shortage of cybersecurity expertise, insurers will likely be required to pay significant sums in order to retain the necessary cybersecurity experts needed to meet the regulation’s requirements.[8]  According to some reports, total Chief Information Security Officer compensation at large firms may exceed $1 million.[9]  Furthermore, the regulation places a heavy reporting requirement on insurers that will likely be costly with regard to ensuring that the companies maintain up-to-date technology and employee training.[10]  If the insurance company chooses to outsource elements of the cybersecurity assessment, monitoring and other activities required pursuant to the regulation, the Covered Entity still remains responsible for security and compliance.[11]

New York’s cybersecurity regulation is seen as providing a model for other jurisdictions in the future.

[1] New York State Department of Financial Services 23 NYCRR 50, available at http://dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf (last viewed on Dec. 5, 2017).

[2] Department of Financial Services, Press Release: DFS Cybersecurity Regulation Compliance Requirements are Effective Today, Aug. 28, 2017, available at www.dfs.ny.gov/about/press/pr1708281.htm (last viewed on Dec. 5, 2017).

[3] Department of Financial Services, Frequently Asked Questions Regarding 23 NYCRR Part 500, available at http://www.dfs.ny.gov/about/cybersecurity_faqs.htm (last viewed on Dec. 5, 2017).

[4] A list of additional deadlines by which Covered Entities must be in compliance with various sections of the regulation can be found at  http://www.dfs.ny.gov/about/cybersecurity.htm (last viewed on Dec. 5, 2017).

[5] Kade N. Olsen and Craig A. Newman, DFS Cyber Regulation Countdown: Who Should Certify Compliance?, Patterson Belknap Data Security Law Blog, Aug. 14, 2017, available at https://www.pbwt.com/data-security-law-blog/dfs-cyber-regulation-countdown-who-should-certify-compliance (last viewed on Dec. 5, 2017).

[6] Id.

[7] Anthony Ferrante and Jim Wrynn, What Insurance Companies Need to Know about Part 500 Cybersecurity Compliance, Insurance Journal, October 17, 2017, available at https://www.insurancejournal.com/news/east/2017/10/10/466958.htm (last viewed on Dec. 5, 2017).

[8] Id.

[9] Id.

[10] Id.

[11] Id.

[View source.]